Four Questions to ask Your ITAD Provider

Sep 29, 2017

Whether you are undergoing a refresh, relocating offices or beginning your journey to the cloud, you will need to ensure that your data is dealt with securely and for this, you will need to ensure that you engage with a reliable data processor. With so many companies claiming to be experts in IT disposal it is difficult to know who you can trust. To make sure you receive the IT Asset Disposal (ITAD) service that you and your data deserve, we’ve put together four key questions to ask your ITAD provider, to ensure you choose a reliable ITAD company.

Questions to ask your ITAD Provider:

Do They Have The Necessary Accreditations?

One of the most important factors in choosing an ITAD is checking that they have the necessary accreditations and licenses for IT asset and data disposal. The company should be WEEE (Waste for Electrical and Electronic Equipment) compliant and hold a waste carrier’s license. Ideally, the company should be an AATF (Approved Authorised Treatment Facility), too.

Key questions surrounding their Environmental Policy and downstream processes should be considered. For example – what is their environmental policy? Do they adhere to any environmental standards – i.e., ISO 14001? What percentage of equipment they collect is re-used, re-sold or refined? What is their landfill policy?

ISO standards are a good indication of the reliability of an ITAD company. ISO 27001 for example, demonstrates that the ITAD has systems in place to ensure the secure disposal of redundant IT equipment and the secure destruction of all confidential data. The business implications of a data breach are very significant. Not only would it damage your company’s reputation if customer information is released via a breach, but if your Company’s Intellectual Property is accessed, stolen or shared with the public, your Company may lose its competitive edge – adhering to ISO 27001, amongst other industry standards, puts you one step closer to ensuring you remain secure and compliant.

What about specific industry standards – such as being a member of ADISA? ADISA (The Asset Disposal and Information Security Alliance – http://adisa.global/) is an organization that recommends standards for safely disposing of information technology (IT) equipment while minimizing the risk of exposure and misuse of any sensitive data stored on that equipment. The ADISA audit process is multi-layered including full audits, unannounced operational audits and forensic audits thus ensuring that any ADISA certified company is constantly checked against this industry specific standard.

Do Their Data Destruction Methods Meet Your Needs?

Different types of data and IT assets will require different methods of data destruction, and it is important that your ITAD company can offer these. Options, dependent on the media to be erased/destroyed, includes:

Data Wiping/Overwriting/Erasure – the most popular choice of data erasure from any data bearing asset, including Mobile Phones, is Blancco. Blancco erasure solutions are the most respected and widely used product worldwide but there are other software erasure solutions on the market. You should look to ensure that any process for wiping/overwriting/erasing data is completed in line with NCSC (https://www.ncsc.gov.uk/) standards. You should ensure you ask your provider what will happen to any drives that fail to erase – will these be physically destroyed? What about solid state or hybrid drives also – will these take a different route?

Data Degaussing – using a machine that produces a strong electromagnetic field to destroy all magnetically recorded data, leaving the domains on hard drives and floppy discs in random patterns with no preference to orientation, thereby rendering previous data unrecoverable.

Data Destruction/Physical Shredding – The mechanical process to crush, chop, then shred into smaller pieces, is a standard process. The size of the shredded material is usually somewhere between 25mm – 6mm. This fragmented material is then sent on to refining partners who will continue the refining process. What record of items shredded will you receive? What destruction certificates are included for your own internal auditing records?

Other considerations will focus on whether you require your data to be disposed of on premise or off-site at your providers’ facility. What capabilities does your ITAD provider have to offer?

Will They Provide An Audit Trail?

What proof of data erasure/destruction will they provide? Will they ensure they utilise NCSC approved software for data erasure for example and if you have requested physical destruction via shredding, will they issue you with certificates of destruction?

Whereas under the UK’s current Data Protection Act it is simply the data controllers that are responsible for the secure disposal of IT assets, the new GDPR states that data processors will be held responsible too. This means that controllers must appoint an experienced and credible data processor to deal with their ITAD needs and both parties will be accountable to each other during the process.

Data Controllers and Processors must sign a contract agreeing that all data processing activities will comply with both the controller’s own specific requirements and the new regulations set out by the General Data Protection Regulation – how prepared for this new legislation are your ITAD provider? Have they revised their contracts to reflect this new legislation?

Do They Sub-Contract Any Third Parties?

Even if the ITAD Company does not use third party contractors during the actual process of disposing of your IT assets, they may require the help of a third party in the logistics of it.

If this is the case, you should seek proof that they have taken steps to maintain a solid chain of custody for the disposal process, such as GPS tracked vehicles that transport redundant assets. If your chosen ITAD company does use third party, or temporary staff during the disposal process, you should also seek proof that these individuals are security checked and cleared to minimise the risk of a data breach. What guarantees do they provide when equipment containing data is in transit?

What about their staff? Do they utilise any third party or temporary staff members? Are their staff vetted with the relevant background and security checks? Are their staff security cleared?

Choosing a reliable ITAD company is a vital part of ensuring that your company is compliant with the impending changes to data protection regulations – talk to us today to find out how EOL can help you or check out our accreditations – as the highest accredited ITAD in the UK, EOL ensure a secure and compliant IT Asset Disposal service for every client, every time (http://www.eolitservices.co.uk/accreditations/).